Information Security Policy

Effective Date: 01 October 2024

1. Introduction

WorkPermitCloud Limited ("WPC") is committed to ensuring the security, integrity, and confidentiality of personal data processed by our websitehttps://www.righttoworkcheck.co.ukand mobile applications ("WPC Employer" and "WPC Candidate"), collectively referred to as the "Services". This Information Security Policy outlines the procedures and mechanisms in place to protect the sensitive personal data of employers and candidates, ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable UK data protection laws.

2. Scope

This policy applies to all data processed by WPC in connection with the Right to Work checks, including but not limited to:

• Employer Data: Organisation name, job position, employer email, candidate name, candidate email, candidate phone number, job type, and work hours.
• Candidate Data: Passport, Birth Certificate, Biometric Residence Permit (BRP), Certificate of Sponsorship (COS), Asylum Registration Card (ARC), and other personal data required for completing Right to Work checks.

WPC stores all data on the AWS Cloud platform, utilizing encryption and security measures to ensure the integrity and confidentiality of all personal data processed.

3. Data Protection Principles

WPC complies with the following principles under GDPR:

• Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Personal data is collected for specific, legitimate purposes, such as fulfilling Right to Work checks as per the UK Home Office’s guidance.
• Data Minimisation: Only data necessary to complete the Right to Work process is collected and retained.
• Accuracy: WPC takes reasonable steps to ensure that personal data is accurate and kept up to date.
• Storage Limitation: Data is retained only for the period required by law, after which it is securely deleted.
• Integrity and Confidentiality: WPC ensures that personal data is stored securely to prevent unauthorized access, loss, or destruction.

4. Data Security Measures

WPC employs industry-standard security measures to protect personal data from unauthorized access or breaches, including:

• Encryption: All personal data is encrypted both in transit and at rest using robust encryption protocols to safeguard sensitive information.
• Access Controls: Access to personal data is restricted to authorized personnel only, based on their job responsibilities. Multi-factor authentication (MFA) and role-based access controls (RBAC) are implemented to prevent unauthorized access.
• Regular Security Audits: WPC conducts regular internal and external security audits to identify and mitigate potential vulnerabilities.
• Third-Party Security: WPC collaborates with third-party service providers such as AWS, Proxy, Microsoft, Mindgrape, Stripe, and companies to process personal data securely. All third parties are subject to rigorous security standards and GDPR compliance.

5. Cloud Security

Data is stored on Amazon Web Services (AWS), which complies with industry standards, including ISO 27001 and GDPR. AWS offers advanced data protection features, including:

• Data Encryption: Both at rest and in transit.
• Network Security: Virtual Private Clouds (VPCs), firewalls, and network access control lists (ACLs) provide enhanced security.
• Monitoring and Logging: Continuous monitoring of AWS systems to detect security incidents.

6. Incident Response and Breach Notification

In the event of a data breach or security incident:

• WPC will respond immediately by investigating the breach, mitigating its effects, and notifying affected individuals and regulatory bodies as required by Article 33 of GDPR.
• WPC will implement measures to prevent future incidents and document the breach response for auditing purposes.

7. Employee Awareness and Training

All WPC employees are trained on information security practices, including GDPR, and the importance of information security. Security awareness training is conducted to ensure the staff understands their role in maintaining data security.

8. Indemnity and Limitation of Liability

WPC shall be indemnified to the fullest extent permitted by law from any third-party claims related to non-compliance with the information security or data misuse of the WpcRtwEmployer and WpcRtwCandidate apps or non-compliance with this policy.

9. Review and Updates

This policy will be reviewed annually or upon significant changes in relevant regulations, technology, or organizational structure. Updates to the policy will be communicated to all stakeholders, and continued use of WPC services constitutes acceptance of these revisions.

10. Contact Information

For questions or concerns regarding this policy or any security issues, please contact us at:contact@righttoworkcheck.co.uk.

Registered Office: The Gherkin, Level 28, 30 St. Mary Axe, London, England, EC3A 8BF